Monzy Merza & Haiyan Song, Splunk | Splunk .conf 2017


>> Announcer: Live from Washington DC, it's theCUBE, covering .conf2017, brought to you by Splunk.

>> Well good morning, welcome to day two, Splunk .conf2017 here in Washington DC, theCUBE very proud to be here again for the seventh time I believe this is. John Walls, Dave Vellante. Good morning, sir, how are you doing, David?

>> I'm doing well, thank you.

>> Did you have a good night?

>> Yeah, great night.

>> DC, I know your son's here.

>> Walked round the district a little bit, yeah, it was good.

>> It's good to have you here.

>> At the party last night upstairs, (John laughs) talked to a few customers, trying to find out what they didn't like about Splunk, and it was not a lot of things.

>> That would be a short conversation I think. We can do us, we got a couple of keynote rockstars with us this morning, Haiyan Song, who's the Senior Vice President of Security Markets at Splunk. Haiyan, good to see you again.

>> Great to see you too.

>> John: Thanks for coming back, Monzy Merza, who was the Head of Cybersecurity Research at Splunk.

>> Thank you for having me.

>> John: Monzy, commanding the stage with great acumen today, good job there.

>> Monzy: Thank you.

>> Yeah, we'll get into that a little bit later. But first off, let's just kind of set the table here a little bit. I know this is a bit of a transformational year for you in terms of security, in how you're building out your portfolio, and your services, and so kind of walk us through that. What are you doing, Haiyan, in terms of, I guess being available, right, for whomever, whenever, wherever they are in their security journey, you might say.

>> Journey is the keyword this year, and nerve center is another one that I highlighted at my super session yesterday. So when I reflect on, this is your seventh year, and when I reflect on the last three years, right, we came in and really talked about the enterprise security product on the first year. And second year we talked about, you know, how UBA adds to the capabilities for better detection and machine learning. We introduced different features. This year we didn't start the conversation on, "Here's a new feature". This year we started the conversation on you need to build a security nerve center. That's the new defense system. And there's a journey to get there, and our role is to enable you on that journey every step of the way. So it's a portfolio message, and not only for the very advanced customers, who want machine learning, who want to customize the threat models. Also for people who just started, to say I have the data, and help me get more insight into this, or help me understand how to leverage machine data across domains to really correlate and connect the dots, and do investigations. Or what are the important things to set up the basic operations. Very, very excited about the ability, transformational year, as you mentioned, that we can bring the full portfolio to our customer.

>> So, Monzy, you've said in your keynote today, defenders can succeed. We talked off camera, you're an optimist. And all we need is this nerve center. So to date, has that nerve center been missing, has it been there and people haven't been able to take advantage of it, have the tools been too complicated? I wonder if you could unpack that a little bit?

>> I think what's happened over the course of many years, as the security ecosystem matures and evolves, there are a lot of expert technologies in a variety of different areas, and it's a matter of bringing those expert technologies together, so that the operations teams can really take advantage of them. And you know, it's one thing to have a capability, but it's another to leverage that capability along with another capability and combine the forces together, and really that's the message, that's Haiyan's message, that's been there for the nerve center, that we can bring together. And so when I say the defender has an advantage, I mean that, because I feel that the operations teams, the IT teams, as well as the security teams, have laid out a path, and the attacker cannot escape that path. You have to walk down a certain path to get to something to achieve or to steal or to do whatever, or damage that you need to do. So when you have a nerve center, you can bring all the instrumentation that's been placed along those paths to make use of it. So the attacker has to work within that terrain. They cannot escape that terrain. And that's what I mean, is the nerve center allows for that to occur.

>> Now you guys have talked for a long time about bringing analytics and security, those worlds together. We've always been a big obviously proponent of that, but spending's just starting to shift, right. They're still spending a lot of money on the perimeter. I guess you have to. We all see the numbers, security investments continue to increase. But where are we today with regard to analytics and being able to proactively both identify and remediate?

>> So I just echo what you just said. I'm so pleased to see the industry started the shifts. I think being analytics-driven is really top of mind for people, and using machine learning automation to help really speed up the detection and even response are top of mind. We just did a CISO Customer Advisory Report on Monday, and we always ask when we start the meetings, "Tell us your top of mind challenges, tell us your top, you know, two investments, and what's the recommendation for Splunk?" And better, faster response, better, faster detection and automation and analytics is top of mind for everybody. So for us, this year, extremely, extremely happy to talk about how we're completing that narrative for analytics-driven security.

>> Well on that point, you talk about analytics stories, and filling gaps, putting an entire narrative together so that somebody could loosen up the nuts, and they can see exactly where intrusions occur, what steps could be taken, and so on and so forth. So, I mean, dig a little deeper on that for us, maybe Monzy, you can jump on that, about what this concept of analytics stories is, and then how you're translating that into your workplace.

>> We thought about this for quite some time in terms of drilling down and saying, as analysts and practitioners, what is it that we desire? The security research team at Splunk is composed of people who spend many, many years in the trenches. So what do we want, what did we always want, and what was hard? And instead of trying to approach it from the perspective of, you know, let's just connect the dots, really take an adversarial model approach to say, "What does an adversary actually do?" and then as a defender, what do I do when I see certain things happening? And I see things on the network, I see things on the end point, and that's good, and a lot of people talk about that. But what do I do next? As the analyst, where do I go, and what would be helpful to me? So we took this concept of saying, let's not call them anything else, we actually fought over this for quite some time. These are not use cases, because use case has a very different connotation. We wanted stories because an adversary starts somewhere, adversary takes some action. The defender may see some of that action, but then the defender carries on and does other things, so we really had this notion of a day in the life, and we wanted to capture that day in the life of the perspective of what's important to their business, and really encapsulate that as a narrative, so that when the analysts and security operations teams get their hands on this stuff, they're not bootstrapping their way through the process. They have a whole story that they can play through, and they can say, and if it doesn't make sense to them, that's okay, they can modify the story, and then have a complete narrative to understand the threat, and to understand their own actions.

>> So we hear the stat a lot about how long it takes for organizations to identify an intrusion. It ranges, I've been seeing, you know, ServiceNow flashing 191, I've seen it as high as 320. I'm not sure there's clear evidence that that number's compressing. I think it's early days there, but presumably analytics can help compress that number, but when I think about things like, you know, zero day signatures, and other very high tech factors that are decades old now. Can analytics help us solve those problems? Can the technology, which kind of got us into this mess, get us out of the mess? (Monzy and Haiyan laugh)

>> That's such a great point. It is the technology that just made our lives so much easier, as you know, living, and then it complicates it so much for security people. I'll give you a definitive yes, right. Analytics are there to help detect early warning signs, and it will help us, may not be able to just change the stats right now for the whole industry, I'm sure it's changing stats for a lot of the customers, especially when it comes to remediation. The more readily available the data is for you when you are sort of facing an incident, the faster you can get to the root cause and start remediating. That we have seen many of our customers talk about how it was going from weeks to days, days to hours, and that includes not just technology, but also process, right? Process streamline and automating some of the things, and freeing up the people to do the things that they're great at, versus the mundane things, trying to collect the information. So I'm also a glass half full person, optimist, that's why we work together so well, that we really think being data driven, being analytics driven, is changing the game.

>> What about the technology of the malware? I think it was at a .conf, I think it was 2013, one of your guest speakers gave us an inside look at Stuxnet. Of course by then it was seven, eight years old, right? But it was fascinating, and you know you read more about it, and you learn more about it, and it's insidious. Has the technology on the defender side, I guess was my real question, accelerated to keep up with that pace? Where are we at with the bad technology and the good technology? Are they at a balance now, an equilibrium?

>> I think it's going to be a constant evolutionary process. It's like anything else, you know, whether you look at thieves or whether you look at people who are trying to create new innovative solutions for themselves. I think the key that, this is the reason why I said this morning, is that defenders can have, I think I said unfair advantage, not just an advantage. And the reason for that is, some of the things Haiyan talked about, with analytics, and with the availability of technology that can create a nerve center. It's not so much so that someone can detect a certain type of threat. It's that we know the low fidelity sort of perturbations that cause us to fire an alarm, but there's so many of those that we get desensitized. The thing that's missing is, how do I connect something that is very low threshold, to another thing that's very low threshold, and sequence those things together, and then say, you know, combined all of this is a bad thing. And one of my colleagues uses as example, you know, I go to the doctor and I say you know, "I've got this headache for a long time", and the doctor says, "Don't worry, you don't have a tumor." And it's like, "Okay, great, thank you very much," (Dave laughs) but I still have the headache.

>> Still have the headache.

>> And so this is why even in the analytics stories we use, and even in UBA and in enterprise security, we don't use the concept of a false positive. We use the concept of confidence, and we want to raise confidence in a particular situation, which is why the analytics story concept makes sense, is because within that story, the confidence keeps raising as you go farther and farther down the chain.

>> So it's a confidence, but also married, presumably through analytics, with a degree of risk, right? So I can understand whether that asset is a high value asset or John's football pool or something like that.

>> John: Which is going very well right now by the way. (all laugh) Bring it on, very happy.

>> Now you guys have come out with some solutions for ransomware. I tweeted out this morning that I was pleased at .conf that we're talking about analytics, analytic-driven solutions to ransomware, and not just the typical, when we go to these conferences, the air gap yap. Somebody tweeted back to me, said, "Dave, until we see 100% certainty with analytics-driven solutions, we better still have air gaps." So I guess I wanted, if you guys could weigh in on what should people be thinking about in terms of ransomware, in terms of an end to end solution. Can you comment?

>> I will add and... So for us, right, even to follow on the last question you had, the advancement in technology is not just algorithms, it's actually the awareness and the mindset to instrument your enterprise, and the biggest information gap in an incident response is, I don't have the data, I don't know what happened. So I think there's a lot of advancement that happened. We did a war game, you know, tabletop exercise, that was one of the biggest takeaways. Oh, we better go back and instrument our enterprise, or agency, so when something does happen, we can trace back, right? So that's number one. So ransomware's the same thing. If you have instrumented your infrastructure, your applications stack, and your cloud visibility, you can actually detect some of the anomalies early. It's never going to solve 100%. So security is all about layered defense, right. Adapting and adding more layers, because nobody is really claiming I can be 100%, so you just want to put different layers and hoping that as they sift through, you catch them along the way.

>> I think it's a question of ecosystem, and really goes back to this notion that different people have instrumented their environments in different ways, they deploy different technologies. How much value can they get out of them? I think that's one vector. The other vector is, what is your risk threshold? Somebody may have absolutely zero tolerance for air gaps. But I would, as a research person, I would like to challenge even that premise. I've been privileged to work in certain environments, and there are some people who have incredible resources, and so it's just a question of what is your adversary model that you're trying to protect yourself against, what is your business model for which you're willing to take over that risk? So I don't think there is a too high endpoint, there isn't a single solution for any of these number of things. It really just has to match with your business operation or business risk posture that you want to accommodate.

>> You know what, you're almost touching on a point that I did want to hit you up on before you left, about choice, and you know, it's almost like personal, how much risk am I willing to take on? It's about customization, and providing people different tools. So how much leash do you give people? I mean do you worry that if we allow you to do too much tinkering you actually do more harm than good? But how do you factor all that into the kind of services that you're offering?

>> I think that ultimately it's up to the customer to decide what's valuable and what's critical for their business. If somebody wants a complete solution from Splunk, we're going to serve those customers. You heard a number of announcements this week from ES Content updates, to opening up the SDK, you know, with UBA, to the security essentials app releases, and all of those different kinds of capabilities. On the top end of it, we have the machine learning toolkit. If you have experts that want to tinker and learn something more, and want to exert their own intuition and energy on a compute problem, we want to provide those capabilities. So it's not about us, it's about the ability for our customers to exert what is important to them, and get a significant advantage in the marketplace for their business.

>> I think it's important to point out too for our audience, it's not just a technology problem. The security regimes in organizations for years have fallen on IT and security practitioners, and we wrote a piece several years ago on Wikibon Research, that bad user behavior is going to trump good security every time. And so it's everybody's responsibility. I mean it sounds like a bromide, but it's so true, and it's really part of the complete solution. You know, I mean, I presume you agree.

>> Totally. Going back to the CISO Advisory Board, one of the challenges they pointed out is user accountability. That's one of the CISO's biggest challenges. It's not just technology. It's how can they train the users and make them responsible and somehow hold them accountable. I thought that was a really very interesting insight we didn't talk about before.

>> Yeah, you don't want to hear my bad, but unfortunately you do. Well, we were kind of kidding before we got started, we said, "We've got an hour to chat." It seems like it was just a matter of minutes and so thank you for taking time. We could talk an hour, I think.

>> Monzy: Oh, easy.

>> Fascinating subject. And we thank you both for your time here today, and great show.

>> [Haiyan and Monzy] Thank you for having us.

>> Haiyan: It's always a pleasure to be here.

>> You bet, all right, thank you Haiyan and Monzy. Back with more of theCUBE here covering .conf2017 live in Washington DC.

Published Date: Sep 27 2017
